The author is a Forbes contributor. The opinions expressed are those of the writer.


The past month or so has been a really bad one for US retailers when it comes to information security - both Target and Neiman Marcus have had high-profile data breaches. And while the public and the industry are wringing their hands about the ongoing nature and root causes of these problems, it's important to take a step back and look at some of their broader causes. I'm not going to focus on the minutiae of the specific reasons for each breach (a case in point: the interesting news that RAM scraping was the root cause of these most recent incidents). Root-cause analysis can sometimes be flawed - while a causal analysis of an individual incident can ensure the exact same loss won't happen again, it does little to address the underlying causes of the data loss.

A recent post by security vendor BitSight reflected on this and, in light of the recent attacks, revisited its external security measurement, specifically for the retail sector. The most recent report (available with registration here) was sobering - it found a heightened level of malicious activity being suffered by the retail industry and, surprisingly, a reduction in the BitSight rating (a measure of how effectively organizations are battling threats) across the retail sector over the course of 2013. While BitSight has no access to internal data, its analysis of external data does correlate with attacks that have become public - both Target and Neiman Marcus showed increased malicious activity in November and December of 2013.

BitSight analyzed 139 U.S. retailers (including Target, Wal-Mart, CVS, but excluding supermarkets) from November 1, 2013 through January 12, 2014 and found 1,035 distinct infections communicating out from corporate networks, a worrying 7.5 on average per company. Many of these malware strains take advantage of system vulnerabilities with the objective of enabling backdoor access to corporate as well as consumer systems.

Most worrying, however, is the assertion by BitSight that Target and Neiman Marcus, the two retailers with known issues, didn't in fact have the lowest ratings of all the retail organizations it surveyed - leading BitSight to predict more high-profile data breaches in the retail sector this coming year. BitSight's co-founder and CTO, Stephen Boyer, was cagey about who actually scored lower, saying:

We cannot reveal the names of the companies that rated below Target and NM. However, we can say that 40% of the companies we assessed (retailers in the Fortune 200) rated lower than Target and NM.

It's a worrying trend, and it leads BitSight to predict that we will see more security breaches in the retail industry as we head into 2014. Maybe it's time to head back to the local farmers' market, huh?